Announcing new releases Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15

[Flatcar Container Linux User]

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS channel.

New Alpha Release 3665.0.0

Changes since Alpha 3654.0.0

Security fixes:

• binutils (CVE-2022-38533, CVE-2022-4285, CVE-2023-1579, CVE-2023-2222)
• ncurses (CVE-2023-29491)
• protobuf (CVE-2022-1941)

Changes:

•  Dropped support for niftycloud and interoute. For interoute we haven’t been generating the images for some time already.

Updates:

• Linux (6.1.38)
• Linux Firmware (20230625)
• binutils (2.40)
• containerd (1.7.2)
• elfutils (0.189)
• glib (2.76.3)
• ldb (2.4.4 (includes 2.4.3, 2.4.2))
• lua (5.4.4)
• ncurses (6.4)
• nettle (3.9.1)
• nmap (7.94)
• pax-utils (1.3.7)
• protobuf (21.9)
• python (3.11.3)
• talloc (2.4.0 (includes 2.3.4))
• tdb (1.4.8 (includes 1.4.7, 1.4.6))
• tevent (0.14.1 (includes 0.14.0, 0.13.0, 0.12.1, 0.12.0))
• SDK: perf (6.3)
• SDK: perl (5.36.1)
• SDK: qemu (7.2.3)

New Beta Release 3602.1.3

Changes since Beta 3602.1.2

Updates:

• Linux (5.15.120)

New Stable Release 3510.2.5

Changes since Stable 3510.2.4

Security fixes:

• Linux (CVE-2023-3338, CVE-2023-3390)

Bug fixes:

• Resolved the conflicting FD usage of libselinux and systemd which caused, e.g., a systemd crash on certain watchdog interaction during shutdown (patch in systemd 252.11)

Updates:

• Linux (5.15.119 (includes 5.15.118))
• systemd (252.11 (from 252.5))

New LTS Release 3033.3.15

Changes since LTS 3033.3.14

Security fixes:

• Linux (CVE-2023-3338)

Bug fixes:Changes:

• Changed ext4 inode size of root partition to 256 bytes. This improves compatibility with applications and is necessary for 2038 readiness (Flatcar#1082)

Updates:

• Linux (5.10.186 (includes 5.10.185))
• ca-certificates (3.91)

Detailed Security Report

Security fix: With the Alpha 3665.0.0, Beta 3602.1.3, Stable 3510.2.5, LTS 3033.3.15 release(s) we ship fixes for the CVEs listed below.

Alpha 3665.0.0

• binutils

  • CVE-2022-38533 CVSSv3 score: 5.5(Medium)
    In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
  • CVE-2022-4285 CVSSv3 score: 5.5(Medium)
    An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
  • CVE-2023-1579 CVSSv3 score: 7.8(High)
    Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.
  • CVE-2023-2222 CVSSv3 score: n/a
    A vulnerability was found in binutils where, objdump SEGV in concat_filename() at dwarf2.c:2060.

• ncurses

  • CVE-2023-29491 CVSSv3 score: 7.8(High)
    ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

• protobuf

  • CVE-2022-1941 CVSSv3 score: 7.5(High)
    A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Stable 3510.2.3

• Linux
  • CVE-2023-3338 CVSSv3 score: 7.5(High)
    A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.
  • CVE-2023-3390 CVSSv3 score: n/a
    A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
    Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
    We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

LTS 3033.3.15

• Linux
  • CVE-2023-3338 CVSSv3 score: 7.5(High)
    A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

Best,
The Flatcar Container Linux Maintainers